Abstract

We present strong attacks against quantum key distribution schemes 
which use quantum memories and quantum gates to attack directly the 
final key. We analyze a specific attack of this type, for which we find 
the density matrices available to the eavesdropper and the optimal 
information which can be extracted from them. We prove security 
against this attack and discuss security against any attack allowed by 
the rules of quantum mechanics. 

PACS number(s): 03.65.Bz, 89.70, 89.80 

Quantum cryptography [1, 2, 3, 4, 5] uses quantum mechanics to perform new cryptographic tasks, especially information-secure key distribution, which are beyond the abilities of classical cryptography. Unfortunately, the security of such a key is still unproven: sophisticated attacks (called coherent or joint attacks) which are directed against the final key were suggested; the analysis of such attacks is very complicated, and, by the time this work was submitted, security against them was proven only in the non-realistic case of ideal (error-free) channels [6, 7]. The security in the real case, which is crucial for making quantum cryptography practical, is commonly believed but yet unproven. A proof of security must bound the information available to the eavesdropper (traditionally called Eve) on the final key to be negligible (i.e., much smaller than one bit). A protocol is considered secure if the adversary is restricted only by the rules of quantum mechanics, and a protocol is considered practical if the legitimate users are restricted to existing technology. In this work we obtain the strongest security result for practical protocols. We suggest collective attacks (simpler than the joint attacks) which are simple enough to be analyzed, but general enough to imply (or at least suggest) security against any attack. We prove security against the simplest collective attack: we generalize methods developed in [ref] in order to calculate Eve's density matrices explicitly, and to find the information which can be obtained from them; we show that it is negligible. Our result also provides a better understanding of the issue of information splitting between two parties, which is a fundamental problem in quantum information theory. Parts of this work were done together with Dominic Mayers.

In any quantum key distribution scheme, the sender, Alice, sends to the receiver, Bob, a classical string of bits by encoding them as quantum states. In the two-state scheme [ref] (B92 scheme) a classical bit is represented by either of two non-orthogonal pure states, which can be written as $\psi_0 = \binom{\cos\theta}{\sin\theta}$ and $\psi_1 = \binom{\cos\theta}{-\sin\theta}$. Bob performs a test which provides him with a conclusive or inconclusive result. For instance, he can test whether a specific particle is in the state $\psi_0$ or in the state orthogonal to it, $\psi_0^{\perp}$; a result $\psi_0$ is treated as inconclusive and a result $\psi_0^{\perp}$ is identified as $\psi_1$. Alice and Bob also use an unjammable classical channel to inform each other which bits were identified conclusively, and to compare some of the common bits in order to estimate the error-rate. They must accept some small error-rate $p_e$ due to imperfections in creating, transmitting and receiving the quantum states. If the estimated error-rate exceeds the allowed error-rate they quit the transmission and do not use the data; thus any eavesdropping attempt is severely constrained to induce an error-rate smaller than $p_e$. Alice and Bob are now left with similar $n$-bit strings which contain errors. They randomize the order of the bits and correct the errors using any error-correction code [ref]. The error-correction code is usually made of $r$ parities of substrings (where the parity bit $p(x)$ of a binary string $x$ is zero if there is an even number of 1's in $x$, and one otherwise). Alice sends these parities to Bob (using the classical channel), who uses them to obtain a (possibly shorter) string identical to Alice's, up to an exponentially small error probability. Finally, Alice and Bob can amplify the security of the final key by using privacy amplification techniques [10]: by choosing some parity bits of substrings to be the final key. Their aim is to derive a final key on which Eve's average information is negligible.

Eve can measure some of the particles and gain a lot of information on them, but this induces a lot of errors. Hence, she can attack only a small portion of the particles, and this reduces her information on the parity of many bits exponentially to zero. Translucent attacks [11] are much more powerful: Eve attaches a probe to each particle and performs some unitary transformation, after which her probe is correlated to the transmitted state. In the case where each probe is left in a pure state [ref], and measured separately to obtain information on Alice's bit, it is a rather obvious conclusion (from [10]) that privacy amplification is still effective. Thus, such an individual translucent attack is ineffective. We deal with a much more sophisticated attack in which Eve's measurement is done after the processes of error-correction and privacy amplification are completed. Privacy amplification techniques were not designed to stand against such attacks, hence their efficiency against them is yet unknown. Consider the following collective attack: (1) Eve attaches a separate, uncorrelated probe to each transmitted particle using a translucent attack. (2) Eve keeps the probes in a quantum memory (where non-orthogonal quantum states can be kept for a long time [ref]) till receiving all classical data, including error-correction and privacy amplification data. (3) Eve performs the optimal measurement on her probes in order to learn the maximal information on the final key. The case in which Eve attaches one probe (in a large-dimensional Hilbert space) to all transmitted particles is called a joint or coherent attack [ref], and it is the most general possible attack. No specific joint attacks were yet suggested; the collective attack defined above is the strongest joint attack suggested so far, and there are good reasons to believe that it is the strongest possible attack.

The security of quantum cryptography is a very complicated and tricky problem. Several security claims made in the past were later found to contain loopholes. Recently, we became aware of three new such claims [12, 13, 14]. We hope that these approaches, together with our approach, really produce the solution; yet it is important to have them all, since each of them has different advantages.

Our approach deals with error-correction and privacy amplification by calculating the density matrices which are available to the eavesdropper by the time all data transmissions (classical and quantum) are completed. We provide an example of collective attacks based on the "translucent attack without entanglement" of [11], which leaves Eve with probes in a pure state, and we prove security against them. These attacks use the unitary transformation

$$\binom{\cos\theta}{\pm\sin\theta} \;\longrightarrow\; \binom{\cos\theta'}{\pm\sin\theta'} \otimes \binom{\cos\alpha}{\pm\sin\alpha}$$

with '+' for $\psi_0$ and '$-$' for $\psi_1$, where $\theta'$ is the angle of the states received by Bob, and $\alpha$ is the angle of the states in Eve's hand. The error-rate, $p_e = \sin^2(\theta - \theta')$, is the probability that Alice sent $\psi_0$ and Bob measured $\psi_0^{\perp}$. The connection between this induced error-rate and the angle $\alpha$ is calculated using the unitarity condition [11] $\cos 2\theta = \cos 2\theta' \cos 2\alpha$. For weak attacks which cause a small error-rate, the angle of Eve's probe satisfies $\alpha = (p_e \tan^2 2\theta)^{1/4}$, which is $(p_e)^{1/4}$ for $\theta = 22.5^{\circ}$. In our case, the same translucent attack is performed on all the bits, and it leaves Eve with $n$ probes, each in one of the two states $\binom{c}{\pm s}$ with $c = \cos\alpha$ and $s = \sin\alpha$. As a result, Eve holds an $n$-bit string $x$ which is concatenated from its bits $(x)_1 (x)_2 \ldots (x)_n$. For simplicity, we choose the final key to consist of one bit, which is the parity of the $n$ bits. Eve wants to distinguish between two density matrices corresponding to the two possible values of this parity bit. Our aim is to calculate the optimal mutual information she can extract from them.

For our analysis we need some more notation. Let $h(x)$ be the number of 1's in $x$. For two strings of equal length $x \odot y$ is the bitwise "AND", so that the bit $(x \odot y)_i$ is one if both $(x)_i$ and $(y)_i$ are one. Also $x \oplus y$ is the bitwise "XOR", so that $(x \oplus y)_i$ is zero if $(x)_i$ and $(y)_i$ are the same. For $k$ (independent) strings, $v_1 \ldots v_k$, of equal length let the set $\{v\}_k$ contain the $2^k$ linear combinations $(v_1), \ldots, (v_k), (v_1 \oplus v_1), (v_1 \oplus v_2), \ldots, (v_1 \oplus v_2 \oplus \cdots \oplus v_k)$. If these strings are not all different, then the original $k$ strings are linearly dependent. The quantum state of a string is the tensor product

$$\psi_x = \binom{c}{\pm s} \otimes \binom{c}{\pm s} \otimes \cdots \otimes \binom{c}{\pm s} = \begin{pmatrix} ccc \ldots ccc \\ \pm ccc \ldots ccs \\ \vdots \\ \pm sss \ldots sss \end{pmatrix} \qquad (1)$$

living in a $2^n$ dimensional Hilbert space. The sign of the $i$'th bit (in the middle expression) is plus for $(x)_i = 0$ and minus for $(x)_i = 1$. The sign of the $j$'th term ($j = 0 \ldots 2^n - 1$) in the expression at the right depends on the parity of the string $x \odot j$ and is equal to $(-1)^{p(x \odot j)}$. The density matrix $\rho_x = \psi_x \psi_x^{\dagger}$ also has, for any $x$, the same terms up to the signs. We denote the absolute values by $\rho_{jk} = |(\rho_x)_{jk}|$. The sign of each term $(\rho_x)_{jk}$ is given by

$$(-1)^{p(x \odot j)} \, (-1)^{p(x \odot k)} = (-1)^{p[x \odot (j \oplus k)]} . \qquad (2)$$

A priori, all strings are equally probable and Eve needs to distinguish between the two density matrices describing the parities. These matrices were calculated and analyzed in [ref] (henceforth, the BMS work), and independently in [ref] for the case $\alpha = \pi/4$. In case Eve is told what the error-correction code is, all strings consistent with the given error-correction code (the $r$ sub-parities) are equally probable, and Eve needs to distinguish between the two density matrices:

$$\rho_0^{(n,r)} = \frac{1}{2^{n-r-1}} \sum_{\substack{x:\; p(x)=0 \\ x\ {\rm OECC}}} \rho_x \ , \qquad \rho_1^{(n,r)} = \frac{1}{2^{n-r-1}} \sum_{\substack{x:\; p(x)=1 \\ x\ {\rm OECC}}} \rho_x \qquad (3)$$

where "OECC" is shorthand for "obeys the error-correction code". Let us look at two simple examples where $n = 5$, one with $r = 1$ and the second with $r = 2$. Suppose that the parity of the first two bits, $(x)_1$ and $(x)_2$, is $p_1 = 0$. Formally, this substring is described by the $n$-bit string $v_1 = 24$, which is 11000 in binary; the number of 1's in the first two bits of a string $x$ is given by $h(x \odot v_1)$, and $x$ obeys the error-correction code if $p(x \odot v_1) = p_1$. Let $v_d$ be the binary string (11111 in this case) which describes the substring of the desired parity. Eve could perform the optimal attack on the three bits which are left, or in general, on $v_1 \oplus v_d$. For any such case, the optimal attack is given by the BMS work and the optimal information depends only on $h(v_1 \oplus v_d)$, the Hamming distance between the two words. This information (using eq. 53 of the BMS work) is

$$I(n) = c \binom{2k}{k} \alpha^{2k} \qquad (4)$$

with $c = 1$ for even $n$ (which equals $2k$) and $c = 1/\ln 2$ for odd $n$ (that is, $n = 2k - 1$). Suppose that Eve gets another parity bit $p_2 = 1$ of the binary string 01100 ($v_2 = 12$). Now, a string $x$ obeys the error-correction code if it also obeys $p(x \odot v_2) = p_2$. Clearly, it also satisfies $p[x \odot (v_1 \oplus v_2)] = p_1 \oplus p_2$. In the general case there are $r$ independent parity strings, and $2^r$ parity strings in the set $\{v\}_r$. The BMS result cannot be directly used but still provides some intuition: for each word (i.e., each parity string) $v_i \in \{v\}_r$, let $I(h(v_i \oplus v_d))$ be the optimal information Eve could obtain using eq. (4). Also
let $I_{\rm sum}$ be the sum of these contributions from all such words. In reality Eve cannot obtain $I_{\rm sum}$, since each measurement changes the state of the measured bits; hence we expect that $I_{\rm sum}$ bounds her optimal information $I_{\rm total}$ from above: $I_{\rm total} < I_{\rm sum}$. On the other hand, Eve knows all these words at once, and could take advantage of it; thus we leave this as an unproven conjecture.

In the following we find an explicit way to calculate exactly the optimal information. However, this exact result requires cumbersome calculations, thus it is used only to verify the conjecture for short strings.

The parity of the full string is also known, since the density matrix $\rho^{(n,r+1)}$ corresponds to either $\rho_0^{(n,r)}$ or $\rho_1^{(n,r)}$ depending on the desired parity $p_{r+1}$; thus we add the string $v_{r+1} = v_d$. There are $r+1$ independent sub-parities altogether, hence $2^{r+1}$ parity strings in the set $\{v\}_{r+1}$. A string $x$ is included in $\rho^{(n,r+1)}$ if $p[x \odot v_l] = p_l$ for all given substrings $v_l$ in $\{v\}_{r+1}$. In the BMS work (where $r = 0$) the parity density matrices were put in a block-diagonal form of $2^{n-1}$ blocks of size $2 \times 2$. This result can be generalized to the case where $r$ parities of substrings are given. There will be $2^{n-r-1}$ blocks of size $2^{r+1} \times 2^{r+1}$. We shall show that the $(jk)$'th term in a density matrix $\rho^{(n,r+1)}$ of $r+1$ sub-parities is either zero, $\rho_{jk}$ or $-\rho_{jk}$, that is, either all the relevant strings contribute exactly the same term, or half of them cancel the other half. The proof can be skipped in a first reading.

Theorem

The element $(\rho^{(n,r+1)})_{jk}$ is zero if $j \oplus k \notin \{v\}_{r+1}$, and it is $\pm\rho_{jk}$ if $j \oplus k \in \{v\}_{r+1}$.

Proof

In case $j \oplus k \notin \{v\}_{r+1}$ choose $C$ such that $p[C \odot v_l] = 0$ for all $v_l$'s in $\{v\}_{r+1}$ and $p[C \odot (j \oplus k)] = 1$ (many such $C$'s exist since $C$ has $n$ independent bits and it needs to fulfill only $r+2$ constraints). For such a $C$ and for any $x$ which obeys the error-correction code there exists one (and only one) $y$, $y = x \oplus C$, which also obeys the code (due to the first demand) but has the opposite sign in the $jk$'th element (due to the second demand), so $(\rho_y)_{jk} = -(\rho_x)_{jk}$. Since this is true for any relevant $x$, we obtain $(\rho^{(n,r+1)})_{jk} = 0$.

In case $j \oplus k \in \{v\}_{r+1}$ such a $C$ cannot exist, and all terms must have the same sign: suppose that there are two terms, $x$ and $y$, with opposite signs. Then $C = x \oplus y$ satisfies the two demands, leading to a contradiction.

This theorem tells us the place of all non-vanishing terms in the original ordering. The matrices can be reordered to a block-diagonal form by exchanges of the basis vectors. We group the vectors $s$, $s \oplus v_l$, etc., for all $v_l$'s in $\{v\}_{r+1}$ to be one after the other, so each such group is separated from the other groups. Now the theorem implies that all non-vanishing terms are grouped in blocks, and all vanishing terms are outside these blocks. As a result the matrix is block-diagonal. This forms $2^{n-r-1}$ blocks of size $2^{r+1} \times 2^{r+1}$. All terms inside the blocks and their signs are given by eqs. (1) and (2) respectively, up to reordering. The organization of the blocks depends only on the parity strings $v_l$ and not on the parities $p_l$; thus $\rho_0^{(n,r)}$ and $\rho_1^{(n,r)}$ are block-diagonalized in the same basis. The rank of a density matrix is the number of (independent) pure states which form it, and it is $2^{n-r-1}$ in the case of the parity matrices (eq. (3)). When these matrices are put in a block-diagonal form, there are $2^{n-r-1}$ (all non-zero) blocks. Thus, the rank of each block is one, the corresponding state is pure, and, when diagonalized, the non-vanishing term $a_j$ in the $j$'th block is the probability that a measurement will result in this block.

In the BMS work ($r = 0$), the information, in the case of a small angle, was found to be exponentially small with the length of the string. When each probe is in a pure state, this result can be generalized to $r > 0$ as follows: the optimal mutual information carried by two pure states (in any dimension) is well known. The two possible pure states in the $j$'th block of $\rho_0$ and $\rho_1$ can be written explicitly; the optimal mutual information which can be obtained from the $j$'th block is given by their overlap (the angle $\beta_j$) as $I_j = 1 + p_j \log p_j + (1 - p_j) \log (1 - p_j)$, where $p_j = (1 - \sin\beta_j)/2$. The overlap is calculated using eqs. (1) and (2). Thus, for any given error-correction code, we can find the two pure states in each block, the optimal information $I_j$, and finally, the total information $I_{\rm total} = \sum_j a_j I_j$. We did not use the value of $v_d$ in the proof, and thus, the final key could be the parity of any substring. Moreover, a similar method can be used to analyze keys of several bits which can be formed from parities of several substrings.

We wrote a computer program which receives any (short) error-correction code and calculates the total information as a function of the angle $\alpha$ between the pure states of the individual probes. We checked many short codes (up to $n = 8$) to verify whether $I_{\rm total} < I_{\rm sum}$ as we conjectured. Indeed, all our checks showed that the conjecture holds. The information for small angle $\alpha$ is bounded by $I_{\rm sum} = C\alpha^{2k}$ as previously explained, where $C$ is given by summing the terms which contribute to the highest order of eq. (4), and the Hamming distance $n$ (which is $2k$ or $2k - 1$) can be increased by choosing longer codes to provide any desired level of security.

In addition to a desirable security level, the error-correction code must also provide a desirable reliability; a complete analysis must also include an estimation of the probability $p_f$ that Alice and Bob still have wrong (i.e. different) final keys. To enable such an analysis, one must use known error-correction codes. Random linear codes allow for such an analysis but cannot be used efficiently by Alice and Bob. Hamming codes [ref], $H_r$, which use $r$ given parities for correcting one error in strings of length $n = 2^r - 1$, have an efficient decoding/encoding procedure and a simple way to calculate $p_f$. A Hamming code has $2^r$ words in $\{v\}_r$, all of them, except $00 \ldots 0$, at the same Hamming distance $2^{r-1} - 1$ from $v_d$ (this distance plays the role of $n$ in eq. (4)). Using our conjecture and eq. (4) (with $k = \frac{n+1}{2} = 2^{r-2}$) we obtain

$$I_{\rm total} < (2^r - 1)\,\frac{1}{\ln 2}\binom{2^{r-1}}{2^{r-2}}\,\alpha^{2^{r-1}} + O\!\left(\alpha^{(2^r)}\right).$$

For $r = 3$ ($n = 7$) this yields $I_{\rm total} < 60.6\,\alpha^4$. The exact calculation done using our computer program also gives the same result, showing that the conjecture provides an extremely tight bound in this case. Using an upper bound on $\binom{2^{r-1}}{2^{r-2}}$ and some calculation we finally obtain

$$I_{\rm total} < \sqrt{2}\;2^{r}\,(2\alpha)^{(2^{r-1})} , \qquad (5)$$

bounding $I_{\rm total}$ to be exponentially small with $n$ [which follows from $2^{r-1} = (n+1)/2$].

The rate of errors in the string shared by Alice and Bob (after throwing away inconclusive results) is the normalized error-rate, $p_e^* = p_e/(p_c + p_e)$, where $p_c = \sin^2(\theta + \theta')$ is the probability of obtaining a correct and conclusive result. For small $\alpha$ it is $p_e^* = p_e/\sin^2 2\theta = \frac{\cos^2 2\theta}{\sin^4 2\theta}\,\alpha^4$. The final error probability $p_f$ is given by the probability of having more than one error in the initial string, since the code corrects one error. It is $p_f = \frac{n(n-1)}{2}(p_e^*)^2 + O[(n p_e^*)^3]$, showing that we can use the Hamming codes as long as $n p_e^* \ll 1$. In case it is not, better codes such as the BCH codes [ref] (which correct more than one error) are required, but their analysis is beyond the goals of this paper.
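The block-by-block calculation described above (the parity density matrices of eq. (3), the block theorem, and $I_{\rm total} = \sum_j a_j I_j$), together with the check of the conjecture $I_{\rm total} < I_{\rm sum}$ on the $r = 3$ Hamming code, can be reproduced with the following small Python program. This is an added example, not the authors' program: it assumes the three parity strings 1010101, 0110011 and 0001111 (the rows of the standard parity-check matrix of the (7,4) Hamming code, whose XOR combinations are the seven weight-4 words of the text), with constructed parity values, and the parity of all seven bits as the key; the function names are this example's own. It works in pure Python on $2^n \times 2^n$ matrices, so it is meant for the short codes ($n \le 8$) the text discusses.

```python
import math

# Added example, not the paper's own program. It builds Eve's parity
# density matrices of eq. (3) for a short error-correction code, checks
# the block theorem, and evaluates I_total = sum_j a_j I_j block by block.

def weight(x):
    """h(x): the number of 1's in the binary string x."""
    return bin(x).count("1")

def parity(x):
    """p(x): 0 for an even number of 1's in x, 1 otherwise."""
    return weight(x) & 1

def span(words):
    """The set {v}_k: every XOR combination of the given strings (0 included)."""
    out = {0}
    for v in words:
        out |= {u ^ v for u in out}
    return out

def probe_state(x, n, alpha):
    """Eq. (1): psi_x, the tensor product of n probes (c, +-s), as a real 2^n
    vector; component j has magnitude c^(n-h(j)) s^h(j), sign (-1)^p(x AND j)."""
    c, s = math.cos(alpha), math.sin(alpha)
    return [(-1) ** parity(x & j) * c ** (n - weight(j)) * s ** weight(j)
            for j in range(1 << n)]

def parity_density_matrices(n, alpha, checks, v_d):
    """Eq. (3): rho_0 and rho_1, uniform mixtures of rho_x over the strings x
    obeying the code (checks = [(v_i, p_i), ...]) with p(x AND v_d) = 0 / 1."""
    dim = 1 << n
    rhos = []
    for key_bit in (0, 1):
        members = [x for x in range(dim)
                   if all(parity(x & v) == p for v, p in checks)
                   and parity(x & v_d) == key_bit]
        rho = [[0.0] * dim for _ in range(dim)]
        for x in members:
            psi = probe_state(x, n, alpha)
            for j in range(dim):
                for k in range(dim):
                    rho[j][k] += psi[j] * psi[k] / len(members)
        rhos.append(rho)
    return rhos

def theorem_holds(rho, n, alpha, words, tol=1e-12):
    """Block theorem: (rho)_jk vanishes when j XOR k is outside {v}_{r+1} and
    has magnitude rho_jk = |psi(j) psi(k)| (independent of x) inside it."""
    mag = [abs(a) for a in probe_state(0, n, alpha)]
    dim = 1 << n
    return all(abs(abs(rho[j][k]) - (mag[j] * mag[k] if (j ^ k) in words else 0.0)) <= tol
               for j in range(dim) for k in range(dim))

def _xlog2(p):
    return p * math.log2(p) if p > 0 else 0.0

def total_information(n, alpha, checks, v_d):
    """I_total = sum_j a_j I_j over the cosets (blocks) of {v}_{r+1}.  a_j is the
    block trace; each block has rank one, so Tr(B0 B1) = a_j^2 cos^2(beta_j)
    gives the overlap and I_j = 1 + p log p + (1-p) log(1-p), p = (1-sin beta_j)/2."""
    rho0, rho1 = parity_density_matrices(n, alpha, checks, v_d)
    words = span([v for v, _ in checks] + [v_d])
    seen, total = set(), 0.0
    for lead in range(1 << n):
        if lead in seen:
            continue
        block = [lead ^ v for v in words]
        seen.update(block)
        a = sum(rho0[j][j] for j in block)   # the diagonal is the same in rho1
        tr = sum(rho0[j][k] * rho1[j][k] for j in block for k in block)
        cos_beta = min(1.0, math.sqrt(max(tr, 0.0)) / a)
        p = (1.0 - math.sqrt(1.0 - cos_beta ** 2)) / 2.0
        total += a * (1.0 + _xlog2(p) + _xlog2(1.0 - p))
    return total

def bms_information(distance, alpha):
    """Eq. (4), leading small-angle term: c binom(2k,k) alpha^(2k), with c = 1,
    2k = distance for even distance and c = 1/ln 2, 2k-1 = distance for odd."""
    k = (distance + 1) // 2
    c = 1.0 if distance % 2 == 0 else 1.0 / math.log(2)
    return c * math.comb(2 * k, k) * alpha ** (2 * k)

def i_sum(alpha, checks, v_d):
    """Conjectured bound I_sum: eq. (4) summed over every word v of {v}_r at
    Hamming distance h(v XOR v_d) from v_d."""
    return sum(bms_information(weight(v ^ v_d), alpha)
               for v in span([v for v, _ in checks]))

# Constructed input: the r = 3 Hamming code of the text (rows of its
# parity-check matrix as parity strings; the parity values are an assumption).
HAMMING_CHECKS = [(0b1010101, 0), (0b0110011, 1), (0b0001111, 0)]
ALL_SEVEN = 0b1111111   # v_d: the key is the parity of all seven bits

def hamming_7_4_example(alpha=0.02):
    return total_information(7, alpha, HAMMING_CHECKS, ALL_SEVEN)

if __name__ == "__main__":
    a = 0.02
    print("exact I_total / alpha^4:", hamming_7_4_example(a) / a ** 4)
    print("I_sum / alpha^4 (about 60.6):", i_sum(a, HAMMING_CHECKS, ALL_SEVEN) / a ** 4)
```

Running it with $\alpha = 0.02$ gives an exact $I_{\rm total}$ within a fraction of a percent of the leading term $7 \cdot 6\,\alpha^4/\ln 2 \approx 60.6\,\alpha^4$ of $I_{\rm sum}$, which is the tightness reported in the text; `theorem_holds` can be applied to either of the two returned matrices to confirm the block structure before the information is summed.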
In conclusion, we presented new attacks on quantum key distribution schemes, directed against the final key, and we proved security against a specific one. This result, together with its extension to the analysis of probes in a mixed state [ref], suggests that the optimal information obtained by the optimal collective attack shall still show the same behavior as shown in our example. Let us explain the intuition that security against collective attacks implies security against any joint attack: most of the transmitted particles are not part of the $n$-bit string. The correlations between the $n$ bits (as specified by the error-correction and privacy amplification) as well as the random reordering of the bits are not known in advance. It is very reasonable that Eve can only lose by searching for such correlations when the particles are transmitted through her. Thus, the best she can do is probe the particles via the best collective attack.

We are grateful to C. H. Bennett, G. Brassard, C. Crépeau, J. Smolin, A. Peres and the referees for many helpful discussions. We are especially grateful to D. Mayers for his great help and many suggestions; in particular for observing [17] that $\rho_i^{(n,r)}$ are of a block-diagonal form also for $r > 0$ (he proved it independently in another context [ref]). We also thank G. Brassard and the Université de Montréal for hosting a productive meeting, which made an extremely valuable contribution to this work.